Computer software, including operating system and application software, is often stored as files on a writable storage device, such as a hard disk drive of a computer system on which the software is to be executed. These files are vulnerable to damage or corruption that can be either accidental or intentional. For example, a user or an application program may accidentally delete or overwrite a file, or a sector of the hard disk may fail, resulting in the loss of some of the data in a file. Perhaps more frequently, the computer system may be subject to a malicious attack, in which an attacker may attempt to add, remove, or otherwise tamper with one or more software segments in a file to cause the computer system to behave in some unauthorized and/or undesirable manner. Such unwanted software is generally referred to as “malware,” which may include viruses, worms, Trojan horses, adware, spyware, rootkits, and the like.
Several conventional techniques are available for detecting and restoring corrupted files (e.g., those infected by malware). For example, an anti-malware program may be installed on a computer system to scan the hard disk for any files that may have been corrupted by malware. Such scanning may take place according to a predetermined schedule or upon a user's request. Some anti-malware programs may also be capable of “real-time” protection, where files are scanned when they enter the computer system (e.g., when a user receives an email attachment or downloads a file from a web site), or when they are loaded into the system's active memory (e.g., when a user attempts to open or execute a file).
Once the anti-malware program identifies a file as being potentially corrupted by malware, a repair tool may be used to undo the damage to the file. The repair tool may be programmed to recognize specific patterns of damage that are known to be associated with certain types of malware, and may attempt to repair the corrupted file based on the type of malware that is detected. For example, the repair tool may recognize and remove software code that is characteristic of the detected malware.
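The scan-then-repair flow described above, as an added illustration that is not part of the original text: a signature table, a scanner that can be run over a set of files (the scheduled or on-demand scan) or over a single file's contents as it is loaded (the "real-time" check), and a repair step that removes the code characteristic of the detected malware. The signature names, marker bytes, file contents and the "appended" and "prepended" infection layouts are all constructed for this example and do not describe any real malware.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Signature:
    name: str
    start: bytes            # byte pattern that marks the injected code
    end: Optional[bytes]    # terminator for prepended code; None means the code is appended


# Hypothetical signature table (constructed strings, not real malware signatures).
SIGNATURES = (
    Signature("Appender.A", start=b"!!APPENDER-A!!", end=None),
    Signature("Prepender.B", start=b"!!PREPENDER-B!!", end=b"!!END-B!!"),
)


def detect(data: bytes) -> Optional[Signature]:
    """Return the first matching signature, or None when no known pattern is present."""
    for sig in SIGNATURES:
        if sig.start in data:
            return sig
    return None


def repair(data: bytes, sig: Signature) -> Optional[bytes]:
    """Remove the code characteristic of sig. Returns None when the damage does not
    fit the known pattern, so the caller can fall back to restoring from a backup."""
    idx = data.find(sig.start)
    if sig.end is None:
        # Appended infector: the original file is everything before the marker.
        return data[:idx]
    # Prepended infector: the marker must be at offset 0 and the original follows the terminator.
    if idx != 0:
        return None
    stop = data.find(sig.end, len(sig.start))
    if stop < 0:
        return None
    return data[stop + len(sig.end):]


def scan_file(data: bytes) -> Tuple[str, bytes]:
    """Scan one file's contents, e.g. as it is loaded. Returns (status, possibly repaired contents)."""
    sig = detect(data)
    if sig is None:
        return "clean", data
    fixed = repair(data, sig)
    if fixed is None:
        return f"unrepairable:{sig.name}", data
    return f"repaired:{sig.name}", fixed


def scan_disk(files: Dict[str, bytes]) -> Dict[str, str]:
    """Scheduled scan over a set of files (a dict standing in for the disk), repairing in place."""
    report: Dict[str, str] = {}
    for path, data in files.items():
        status, fixed = scan_file(data)
        files[path] = fixed
        report[path] = status
    return report


# Constructed sample disk: one clean file, two repairable infections, one that is not.
CLEAN = b"MZ...original program bytes..."
SAMPLE_DISK = {
    "app.exe": CLEAN,
    "tool.exe": CLEAN + b"!!APPENDER-A!!" + b"\x90" * 8,
    "svc.exe": b"!!PREPENDER-B!!" + b"\xcc" * 4 + b"!!END-B!!" + CLEAN,
    "bad.exe": b"!!PREPENDER-B!!" + b"\xcc" * 4,   # terminator missing: pattern does not fit
}

if __name__ == "__main__":
    disk = dict(SAMPLE_DISK)
    for name, status in scan_disk(disk).items():
        print(f"{name}: {status}")
```

The repair routine deliberately refuses to guess when the file does not match the expected damage layout; an excision that removes the wrong bytes is worse than leaving the file for restoration from a known-good copy.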
An alternative approach is to monitor certain registered files (e.g., critical operating system files) for unauthorized modification, regardless of whether malware is involved. For example, a small number of operating system components, such as package installers, may be authorized to modify the registered files, so that a modification by any other software component is deemed unauthorized.
When an unauthorized modification to a file is detected, the modified copy may be replaced immediately by a copy of the same file retrieved from a local cache on the computer system. If that particular file is not available from the local cache, the user may be prompted to provide an original copy of the file, for example, by providing an installation or recovery disk.
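The monitoring and restoration scheme of the two preceding paragraphs, as an added example that is not part of the original text: a baseline digest is recorded for each registered file, a short allow-list of components may legitimately change it, and a local cache of known-good copies is used to roll back any other change, falling back to a request for original media when no trustworthy copy is cached. The component names, file names and contents are constructed; the identity of the writing component is assumed to come from an operating-system write hook and is supplied by the caller here. The cached copy is stored under its own digest and re-hashed before use, a check the text does not mention but which matters because a cache on the same writable disk can be tampered with as easily as the file it protects.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# Hypothetical allow-list of components permitted to modify registered files.
AUTHORIZED_MODIFIERS = frozenset({"pkg-installer", "os-updater"})


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class RegisteredFileMonitor:
    """Keeps a baseline digest per registered file plus a content-addressed local cache
    of known-good copies, so an unauthorized change can be rolled back on the spot."""

    def __init__(self, cache_dir: Path, authorized: Iterable[str] = AUTHORIZED_MODIFIERS):
        self.cache_dir = cache_dir
        self.cache_dir.mkdir(parents=True, exist_ok=True)
        self.authorized = frozenset(authorized)
        self.baseline: Dict[Path, str] = {}

    def _cache(self, data: bytes) -> str:
        """Store data under its own digest; the file name doubles as the integrity check."""
        digest = sha256_hex(data)
        (self.cache_dir / digest).write_bytes(data)
        return digest

    def register(self, path: Path, cache_copy: bool = True) -> None:
        data = path.read_bytes()
        self.baseline[path] = self._cache(data) if cache_copy else sha256_hex(data)

    def check(self, path: Path, last_writer: str) -> str:
        """Run after a write to a registered file. last_writer names the component that
        wrote it (assumed to come from an OS write hook). Returns one of:
        unchanged, authorized-update, restored, needs-original."""
        expected = self.baseline[path]
        current = path.read_bytes() if path.exists() else b""   # a deleted file also mismatches
        if sha256_hex(current) == expected:
            return "unchanged"
        if last_writer in self.authorized:
            self.baseline[path] = self._cache(current)        # accept the change and re-baseline
            return "authorized-update"
        cached = self.cache_dir / expected
        # Re-hash the cached copy rather than trusting it: the cache is on writable storage too.
        if cached.exists() and sha256_hex(cached.read_bytes()) == expected:
            path.write_bytes(cached.read_bytes())
            return "restored"
        return "needs-original"   # no trustworthy copy: prompt for install/recovery media


def run_demo() -> Dict[str, object]:
    """Constructed scenario: an authorized update, a malicious overwrite, an uncached
    file, and an accidental deletion. Returns the statuses and the final hosts contents."""
    steps: List[str] = []
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        hosts = root / "hosts.conf"
        svc = root / "svc.bin"
        hosts.write_bytes(b"127.0.0.1 localhost\n")
        svc.write_bytes(b"\x7fELF...service...")
        mon = RegisteredFileMonitor(root / "cache")
        mon.register(hosts)                       # known-good copy cached
        mon.register(svc, cache_copy=False)       # registered, but no local copy available

        steps.append(mon.check(hosts, "user"))                              # nothing changed
        hosts.write_bytes(b"127.0.0.1 localhost\n10.0.0.5 updates.example\n")
        steps.append(mon.check(hosts, "os-updater"))                        # authorized: new baseline
        hosts.write_bytes(b"127.0.0.1 localhost\n10.0.0.5 updates.example\n6.6.6.6 updates.example\n")
        steps.append(mon.check(hosts, "malware.exe"))                       # rolled back from cache
        svc.write_bytes(b"\x7fELF...service...\x90\x90")
        steps.append(mon.check(svc, "malware.exe"))                         # nothing to restore from
        hosts.unlink()
        steps.append(mon.check(hosts, "user"))                              # accidental deletion undone
        return {"steps": steps, "hosts": hosts.read_bytes()}


if __name__ == "__main__":
    print(run_demo())
```

Keying the cache by digest rather than by file name means a restore can never pull in a stale or substituted copy: if the bytes on disk do not hash to the baseline value, the monitor treats the cache entry as missing and asks for original media instead.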